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ABSTRACT 



A data processor with memory within a single inte- 
grated circuit package provides a programmable **se- 
cure mode'* of operation Co selectively restrict access 
and protect information stored in its memory. The se- 
cure mode of c^>eration is included in addition to a 
"single chip mode" wherein the data processor accesses 
both data and instructions strictly firom within the single 
integrated circuit package. An **expanded mode" of 
operation also exists wherein the data processor may 
access either internal or external memory for both in- 
structions and data. The secure mode of operation re- 
stricts accesses of instructions to memory contained 
within the single integrated circuit while allowing data 
accesses to memory either internal or external to the 
integrated circuit. The secure mode b accomplished by 
selectively isolating internal data/instruction bus trans- 
fer activity from an external data/instruction b;is. 
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first control signal is tsseited and in response to the 
INTEGRATED CIRCUIT MICROC ONTR OLLER third control signal. 
WITH ON-CHIP MEMORY AND EXTERNAL BUS These and other features, and advantages, wUl be 
INTERFACE AND PROGRAMMABLE moft clearly understood from the following detailed 

MECHANISM FOR SECURING THE CONTENTS 9 description taken in conjunction with the accompany- 
OF ON-CHIP MEMORY igg drawings. 

FIELD OF THE INVENTION BRIEF DESCRIPTION OF THE DRAWINGS 

This invention relates generally to data processors FIO. 1 iUustrates in block diagram form a date pro- 

with memory, and more particularly to security>of in- cessing system in accordance with the present invcn- 

formation stored in memory used by date processors. tion; and 

„ ^^r^^—r^^j FIG, 2 illustrates in logic diagram form the instruc- 

BACKGROUND OF THE INVENTION ^ ^^^^ ^ datTprocessing system of 

Memory elements contained within an integrated FIG. 1. 
circuit package having a dau processor, such as a mi- nponpiimoM of a PUFFFRRm 
crocontroUcr unit (MCU) are typicaDy used to store ^^^^S^^.^I^^^^^ 
control programs, data, and other information. Such KMHUUiMtiiN i 
memory elements include but are iK>t limited to ROM, Shown in FIO. 1 is a block diagram of a data process- 
RAM, EPROM. EAPROM, or EEPROM. There » ing system 10, comprised generally of a single inte- 
oftcn a need to prevent read or write accesses to these ^ g^ted dicuit package portion 11 and a peripheral por- 
metnory elements for various security reasons. A ^^^^ ^ ^^ving an external peripheral device. The intc- 
known security method for protecting unauthorized ^^^^ package portion 11 has a memory 13, a 
reading of the contents of memory elements used wtthm processor 14, a decoder 16, an instruction inhibit 
a date processor is accomplished with the use of a soft- ^ programmable security device 20. 
ware programmable bit in a mmory configuration rcg- ^ integrated circuit package portion 11, memory 
ister. When the progjaxnmable bit is placed m an acdvc ^ conneci«l to the date processor 14 with an address 
state, the bit cai«es the ^ Pj^^^^ u^Z^ bus 22 and a dataAnstruction bus 24. The data processor 
Se'ditr^r^Jri^^^^^^ 14 is connected to the i^^^ 
£l«^<L>^ory for instructions and^dau, as op- » the <Uta>^cuonbus 24 and a control bus 26^Con. 
pS^ to adtLsing memory external to the chip. How- trol bus 26 is comiected from a first control output of 
S^because chij memoiV space within the chip is the data pro^r 14 to a first control mput of the 
tvDi<Ully limited, the instructions and data contained instruction inhibit cucuit 18 and contains two control 
within ic chip are also limited in size. If the controller «gnals. a "Date Read" signal and a "Date Write" signal, 
programs or dau increase in size within the chip, larger 35 A second control output bus 28 is connected from a 
on-chip memory is required to maintain security of the second control output of date processor 14 to a control 
memory elements when operating in a single-chip input of decoder 16. An output of decoder 16 is a signal 
mode. Another disadvantage with a security feature labeled "Instruction Fetch" and is connected to a sec- 
requiring a single-chip mode of operation is the inability ' ond control input of the instruction inhibit circuit 18. In 
to communicate with any peripheral devices external to 40 the illustrated form, the Instruction Fetch and Date 
the chip. Accordingly, a more general purpose, flexible Read signals may not both be active at the same time, 
and inexpensive solution is required for maintaining The progranunable security device 20 has an output for 
security of internal memory elements while expanding providing a signal labeled "Enable" that is connected to 
the microcontroller system. ^ control input of the instruction inhibit circuit 18 
SUMMARY OF THE INVENTION i» "ctivated in i«pon,e to an input -Control" sig- 
nal. The pcnpheral portion 12 ts connected to memory 

Accordingly, there is provided, in one form, a data j3 processor I* by address bus 22. Peripheral 

processing system comprising an integrated circuit for portion 12 is connected to the instruction inhibit circuit 

coupling at least one peripheral device thereto. The jg ^ data/instruction bus 30. 

integrated circuit has memory with progrunmable se- 50 ^ , ^plications for a dau proces- 

cnrity from tmauthoriied observation of mtemal pro- ^ ^^^^ ^ processing system 10 of FIG. 1. 

cessing operations in mponsc to receipt of externally mpUcttion is in the area of control applications 

provided signals. The integrated circuit oanpnses a ^ pay-for-view TV control. When data processor 

processing umt for recovmg and P"«;^^5» "P^ „ m is ^leased from a reset condition, it fiirt addresses 

instructions from at least one P^V^f^^^^^^ " memory locations either contained within the inte- 

coding the -^"^ grated drcuit portion 11 or within «. extemd memory 

control "8««1»*=^*^^ Speripheral portion 12, depending on how the system 

receive an i, i^V»«d. Data pioce^r 14 Leives instiMctions 

the DTOcessma umt for recesvmg addresses trom tne *™ * . . • . / . n * * j\ - . 

StS^St and providing dLa or instructions in 60 mmahrmg inters (not Jlustrated) mter- 

S^e diereto. A programmable security device re- n»l to data processor 14. Once the mituluaton proc«s 

ceivet a second control Jgnal having a value controlled u complete, date processor 14 executes mstrucuons by 

by a user of the system. The second control signal ena- addressmg memory external to the mtegrated circuit 

bles the programmable security and a third control portion 11 of system 10, for the purpose of controUmg 
signal is provided in response thereto. An instruction 65 peripherals, either internal or external to the integrated 

inhibit portion is coupled to both the programmable circuit portion of date processmg system 10. that ena- 

security device and the processing unit for selectively bles viewing of TV programs in accordance with prede- 

inhibiting extemaUy provided instructions when the termined guidelines or permissions. 
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In operation, tyttcm 10 of FIG. 1 is generally operat- 
ing in one of three modes. The first of the three opera- 
dona] modes is a **single chip mode". The single chip 
mode of operation requires data processor 14 to address 
predetermined memory locations of memory 13 via 
addms bus 22 for the purpose of either reaxling instruc- 
tions and data from memory 13 or writing data to mem- 
ory 13. Predetermined addresses are provided at an 
address output of data processor 14, while data and 
instmctioos are coupled to each of memory 13 and data 
processor 14 by data/instruction bus 24. The single chip 
mode is characterized by the fact that only memory 13 
and dau processor 14, along with address bus 22 and 
data/instruction bus 24 are utilized. 

A second mode of operation of system 10 is an "ex- 
panded mode". In the expanded mode of operation, 
data/instruction bus 30 is coupled to data/instruction 
bus 24 by the instruction inhibit circuit 18, which is 
effectively transparent in expanded mode operation. In 



10 



IS 



signal. Programmable security device 20 may be imple- 
mented as any type of nonvolatile storage device mean- 
ing that the state of the Enable signal remains valid even 
if power is removed from data processing system 10. 
Therefore, in one form programnuble security device 
20 may be implemented with a nonvolatile memory. 
The isolation buffers of FIG. 2 are controlled by the 
combinational logic of inverter 50, AND gate 52, OR 
gate 54, by the Date Read and Dau Write control sig- 
nals provided by control bus 26, and by the Enable and 
Instruction Fetch ccmtrol signals. The illustrated logic 
gates of FIG. 2 function to decode the received control 
signals. When the DaU Write signal of FIG. 2 is active, 
each of the isolation buffer pairs of FIG. 2 connects a 
predetermiiMd data bit from data/instnurtion bus 24 to 
data/instniction bus 30. When the Data Read signal is 
active, data from data/instruction bus 30 is connected to 
data/instruction bus 24. When the Instruction Fetch 
signal of FIG. 2 is active and the Enable signal is inac- 



the expanded mode of operation, dau processor 14 can 20 tive, instructions from data/instruction bus 30 arc con- 



access either ntemory 13 or peripheral portion 12 for 
both instructions and daU. Expanded mode operation 
utilizes memory 13, daU processor 14, address bus 22, 
data/instruction bus 24, data/instruction bus 30 and 



nected to data/instruction bus 24. When the Enable 
signal is active, instructions are read only from memory 
13 and the isolation buffers of FIG. 2 are switched off to 
provide isolation between data/instruction buses 24 and 



instruction mhibit circuit 18. Since expanded mode 23 30. Further, when the Enable signal is active, instruc- 



operation allows daU processor 14 to read instructions 
from peripheral portion 12, the instructions presented to 
daU processor 14 via data/instruction buses 24 or 30, 
may be readily observed or interrupted for the purpose 
of reading or modifying the contents of memory 13; 
therefore the expanded mode of operation is not secure. 

A third mode of operation of system 10 is a "secure 
mode". The secure mode of operation affects the inter- 
action of memory 13, daU processor 14, decoder 16, 
programmable security device 20, address bus 22, dau- 
/instruction buses 24 and 30, and control buses 26 and 
28 which are contained within integrated circuit pack- 
age portion 11 and peripheral portion 12 contained 
within daU processing system 10. 

Illustrated in FIG. 2 is a logic diagram of the instruc- 
tion inhibit circuit 18 of FIG. 1 and generally compris- 
ing an inverter 50, an AND gate 52, an OR gate 54 and 
one or more pair of isolation buffers such as an isolation 
buffer pair 56 comprising buffers 58 and 60. An input of 
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tions present on data/instruction bus 24 are non-inter- 
ruptible and non-visible from outside the single inte- 
grated circuit package portion 11 of FIG. 1. Since the 
instructions present on data/instruction bus 24 are iso- 
lated from data/instruction bus 30, the single integrated 
circuit package portion 11 of FIG. 1 is operating in a 
secure mode. 

It should be well understood that information resid- 
ing in the memory of microcontrollers can be of a pro- 
prietary nature. The need to prevent access to this iiifor- 
mation is a major concern in many system designs. The 
secure mode of operation is a mix between the single 
chip and the expanded modes of operation. In the se- 
cure mode of operation, instruction read cycles per- 
formed by the dau processor are con&ied to the daU 
processor as in the single chip mode, whereas dau reads 
and writes initiated by the daU processor can be made 
either internal or external to the daU processor in an 
expanded mode of operation. The secure mode of oper- 



inverter 50 receives the Enable signal from programma- 4S ation provided herein is an effective and economical 
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ble security device 20 of FIG. 1. A first input of AND 
gate 52 b connected to an output of mverter 50, and a 
second input of AND gate 52 is connected to the In- 
struction Fetch signal of decoder 16 of FIG. 1. A first 
input of OR gate 54 is connected to an output of AND 
gate 52, and a second input of OR gate 54 is connected 
to the Dau Read signal contained within control bus 26 
of FIG. 1. An output of OR gate 54 provides an output 
signal labeled ^Read Instruction/Dau". Each isolation 
buffer pair, such as buffers 58 and 60, has a first control S3 
input for receiving the Read Instruction/Dau signal 
and a second control input for receiving the Dau Write 
signal. Each isolation buffer pair is coxmected to dau- 
/instruction bus 30 and data/instruction bus 24 of FIG. 
1. 

In operation, decoder 16 of FIG. 1 decodes control 
information from dau processor 14 and provides an 
active high Instruction Fetch signal if dau processor 14 
is fetching an instruction. In the illustrated form, an 
active signal is a logic high signal, the Enable signal 65 
provided by programmable security device 20 is acti- 
vated when the dau processing system 10 of FIG. 1 is 
to operate in the secure mode in response to the Control 



solution to isolate instruction information of a dau pro- 
cessor while allowing the dau processor to read or 
write non-proprietary dau exterxul to the dau proces- 
sor. It should also be apparent that other operations 
than the operations detailed herein may be performed 
within system 10 during each of the single chip and 
expanded modes of operations. Therefore, the present 
invention may be considered as having a plurality of 
single chip modes and expanded modes of operation. 
However, regardless of the variety of operations con- 
sidered permissible within a single chip or expanded 
mode of operation, the functionality of the secure mode 
insures that memory 13 may not be read or modified by 
unauthorized sources external to the single integrated 
60 circuit package. 

By now it should be apparent that there has been 
provided a dau processor with memory having a pro- 
grammable controlled security feature. There are many 
additional configurations for implementing the inven- 
tion described above. For example, the memory device 
in FIG. 1 could include volatile as well as non-volatile 
memory or combinations thereof. Multiple memory 
devices may be used. Memory matugement circuits 
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may be included within the microcontroller. System 10 
may be implemented with separate data and instruction 
buses. Multiple interna] and external peripheral devices 
may be added and a variety of peripheral devices may 
be utilized. Inhibit circuit 18 or decoder l€ may be ' 
integrated within dau processor 14, and any memory 
device may be used for programmable security device 
20 including fusible links. The logic gates and isolation 
buffers of FIG. 2 could include further decoding to 
define a limited address range of data accesses. The 
isolation buffers may be implemented using MOS, bipo- 
lar, or any other types of transistors. 

While there have been described herein the principles 
of the inventiont it is to be clearly understood to those ]5 
skilled in the art that this description is made only by 
way of example and not as a limitttion to the scope of 
the invention. Accordingly, it is intended, by the ap- 
pended claims, to cover all modifications of Uie inven- 
tion which faU within the true spirit and scope of the 20 
invention. 

What is claimed is: 

1. An integrated circuit microcontroller comprising: 
a data processor; 

an address bus coupled to the data processor; 
a data bus coupled to the data processor; a control bus 

coupled to the data processor for carrying a data 

write control signal and a data read control signal 

provided by the data processor; 
a memory coupled to the address bus and to the data 

bus; 

instruction fetch sensing means coupled to the data 
processor for determining when the data processor 
is fetching an instruction and for activating an in- 
struction fetch control signal when the data proces- 
sor is fetching an instruction; 

a programmable security device for providing a se- 
cure mode enable si^ial in response to a control 
signal when the microcontroller is to operate in a 40 
secure mode, and 

an external bus interface coupled to the address bus 
and to the data bus and coupled to receive the 
instruction fetch control signal and the secure 



6 

mode enable signal, the external bus interface fur- 
ther comprising: 
a plurality of bi-directional buffers, each bi-direc- 
tional buffer having a first data terminal connected 
to a bit of the data bus, a second dau terminal 
connected to a bit of an external data bus, a first 
control input coupled to receive said data write 
control sipial from the dau processor and a second 
control input coupled to receive a read control 
signal, each of the plurality of bi-directional buffers 
farther comprising: 

i) first buffer means having an input coupled to said 
bit of the daU bus, an output coupled to said bit 
of the external dau bus and a control input cou- 
pled to receive the dau write control signal, the 
first buffer means is for coupling the input to the 
output when the dau write control signal is ac- 
tive; and 

ii) second buffer means having an input coupled to 
said bit of the external dau bus, an output cou- 
pled to said bit of the dau bus and a control input 
coupled to receive the read control signal, the 
first buffer means is for coupling the input to the 
output when the read control signal is active; and 

logic means having a first input coupled to receive 
the secure mode enable signal, a second input cou- 
pled to receive the instruction fetch control signal, 
a third input coupled to receive said dau read 
control signal from the dau processor and an out- 
put for producing the read control signal, the logic 
means is for producing an active read control sig- 
nal if the dau read control signal received from the 
dau prtKessor is active or, if the instruction fetch 
control signal is active and the secure mode enable 
signal is inactive, but not for producing said active 
read control signal if the instruction fetch control 
signal is active and the secure mode enable signal is 
also active, whereby the dau processor is pre- 
vented from fetching an instruction external to the 
microcontroller. 
2. An integrated circuit microcontroller according to 
claim 1 wherein the programmable security device fur- 
ther comprises: a non-volatile memory. 

• ♦ • • • 



50 



55 



60 



63 



10/16/2003, EAST version: 1.04.0000 



